Data breach: key contents of the new regulation

By | Tuesday June 9th, 2015

Article 31 of the EU regulation proposal on personal data protection is aimed at making the notification of data breaches to the supervisory Authority mandatory for every controller, without undue delay. Of course, processors must notify, again without undue delay, every data breach to the controller to allow him to proceed.

The communications must include at least the qualification of the event and the description of the actions taken to oppose the data breach and mitigate its impact on the data subjects.

Everything must be documented in such a way that the Supervisory Authority can verify that the required security measures, according to article 30, are in place.

Article 32 states that, in case the data subject’s rights could be damaged by the data breach, the data subjects must also be informed of what happened and of the measures adopted to counter the data breach and mitigate its impact.

The decision to inform the data subjects is a controller’s choice but the supervisory Authority may decide to proceed on its own if it disagrees on the controller’s decision.

Some comments to close this short summary.

Fines in case the Regulation is not applied properly may be very high, but it is not just a matter of fines: the liability of a company towards its customers, employees and partners may lead to even greater damage through class actions or other compensation requests if the company is responsible for failing to properly protect the data.

Managing the disclosure of data breaches is not only a technical issue: it requires employee awareness, the proper implementation of processes and procedures and an organization capable of timely reactions to each event. It takes time and effort to have everything ready.

The Regulation states that disclosure must be done without undue delay from discovery, but the question remains on when the data breach begun. How long could the hackers have been walking around the databases before being stopped? The damage widely depends on such delay. And not only for private data.

Share with...Tweet about this on TwitterShare on LinkedInShare on Google+Share on Facebook
Category: Data Breach Tags: , , ,

About Sergio Fumagalli

Vice President Zeropiu Spa, system integrator specialized in digital identity and data security with operations in Italy and in the Nordics. After serving as MP in the Italian Parliament, I started a professional collaboration with the Data Protection Italian Authority and a professional activity on these topics. Co-author of “Privacy guida agli adempimenti”, IPSOA, 2004, 2005 a book on compliance to the Italian Law. Since 2008 member of the Oracle Community for Security - http://c4s.clusit.it/views/Homepage.html - and since 2014 member of the board of Clusit a leader association on IT Security in Italy Between 2004 and 2012 member of the board of Webank Spa, the online banc of the Banca Popolare di Milano group.

Leave a Reply